Insecure stream cipher (RC4)
Description
The RC4 algorithm is vulnerable to many attacks and should no longer be used for encrypting data streams. Consider using libsodium's `crypto_secretstream_xchacha20poly1305` stream cipher encryption functions instead. For more information please see: https://libsodium.gitbook.io/doc/secret-key_cryptography/secretstream. If you must be FIPS compliant, consider using OpenSSL's AES or 3DES ciphers.
Examples
Insecure Code
c
EVP_rc4_40();
EVP_rc2_40_cbc();
EVP_rc2_64_cbc();Secure Code
c
crypto_secretstream_xchacha20poly1305_init();Remediation
Replace RC4, RC2_40_cbc, and RC2_64_cbc with a secure stream cipher like libsodium's `crypto_secretstream_xchacha20poly1305` or OpenSSL's AES.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0587 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | insecure cipher, RC4, RC2 |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |